
Cyber Incident Victim: MakeMyTrip

Date: Dec 2016

Location: India

Summary

A group of hackers abused payment gateway vulnerabilities to fraudulently obtain vouchers worth ₹92 lakh from an e-commerce platform administering gyftr.com. The attackers, led by Sunny Nehra, exploited a weakness in PayU's system by intercepting payment processing pages and altering transaction values from high amounts to nominal sums like ₹1 while using counterfeit credit cards. These fraudulently obtained vouchers were then used across multiple online services, including MakeMyTrip, for unauthorized purchases of goods, travel bookings, and luxury items. The perpetrators maintained transient lifestyles funded by their activities until law enforcement traced them through digital footprints linked to purchased devices and social media profiles, leading to their arrest following a complaint by the affected voucher provider.


Description

On December 30, 2016, representatives of an e-commerce platform administering gyftr.com filed a complaint with Delhi’s Hauz Khas police, reporting fraudulent acquisition of vouchers worth ₹92 lakh (approximately $138,000 USD at the time). The attackers, led by 18-year-old Sunny Nehra—a BTech dropout—exploited vulnerabilities in the PayU payment gateway during voucher purchases. Using credit/debit cards obtained through fake documentation, they initiated transactions on gyftr.com. At the critical payment processing stage, where users are typically instructed not to refresh or cancel, the hackers intentionally canceled transactions to freeze the page. They then manipulated source code parameters to alter voucher values—for instance, changing a ₹5,000 voucher to ₹1—before completing payments. This manipulation bypassed payment validation checks due to previously decoded source code vulnerabilities.
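The control that defeats this kind of amount tampering is a server-side reconciliation of the gateway's payment callback against the price stored when the order was created. The sketch below is an added example, not code from gyftr.com or PayU; the field names, the HMAC layout, the key and the order data are all constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

SECRET = b"constructed-demo-key"  # constructed; shared by merchant and gateway
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")  # assumed layout

def sign(cb):
    """HMAC-SHA256 over the callback fields, joined in a fixed order."""
    msg = "|".join(str(cb.get(k, "")) for k in SIGNED_FIELDS).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def new_orders():
    """Constructed order table; the price is fixed server-side at creation."""
    return {"ORD-1001": {"amount": Decimal("5000.00"), "currency": "INR",
                         "state": "pending"}}

def process_callback(orders, cb):
    """Decide whether to issue the voucher. Returns (fulfil, reason)."""
    sig = str(cb.get("sig", "")).encode()
    if not hmac.compare_digest(sign(cb).encode(), sig):
        return False, "bad_signature"          # a field changed after signing
    order = orders.get(cb.get("order_id"))
    if order is None:
        return False, "unknown_order"
    if order["state"] != "pending":
        return False, "already_processed"      # replayed callback
    if cb.get("status") != "success":
        return False, "payment_not_successful"
    try:
        paid = Decimal(cb["amount"])
    except (InvalidOperation, TypeError, KeyError):
        return False, "malformed_amount"
    # Core check: the amount actually charged must equal the stored price,
    # no matter what value the browser submitted to the payment page.
    if cb.get("currency") != order["currency"] or paid != order["amount"]:
        return False, "amount_mismatch"
    order["state"] = "paid"
    return True, "ok"

def callback(amount, status="success"):
    """Build a constructed, correctly signed callback for ORD-1001."""
    cb = {"order_id": "ORD-1001", "amount": amount,
          "currency": "INR", "status": status}
    cb["sig"] = sign(cb)
    return cb

if __name__ == "__main__":
    orders = new_orders()
    print(process_callback(orders, callback("1.00")))     # amount_mismatch
    print(process_callback(orders, callback("5000.00")))  # ok
    print(process_callback(orders, callback("5000.00")))  # already_processed
```

A correctly signed callback reporting ₹1 for a ₹5,000 order is still rejected, because the decision rests on the stored price and not on any value that passed through the client.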


The stolen vouchers were extensively used across multiple e-commerce platforms, including MakeMyTrip, Flipkart, Amazon, Dominos Pizza, Myntra, and Shoppers Stop. Investigators traced the fraud through IP addresses linked to high-value purchases—such as iPhones and iPads—made with the vouchers. These digital footprints led to Nehra’s Facebook profile, where he and his associates flaunted luxury lifestyles funded by the scheme, including stays at five-star hotels, flights, BMW/Mercedes rentals, and discounted sales of electronics to friends. A special police team apprehended Nehra at a Gurgaon hotel in January 2017, followed by the arrests of three accomplices: two BTech dropouts, one engineering student, and a Delhi University BCA student. The group had collaborated with hackers in India, the Netherlands, and Indonesia, using specialized software and a high-performance Dell laptop (256GB RAM) tailored for hacking suites. The incident marked Delhi’s first documented case of large-scale "digital shoplifting" via payment gateway tampering, resulting in direct financial losses for gyftr.com and secondary impacts on partnered platforms where illicitly obtained vouchers were redeemed.
